Data Processing Agreement
Effective date: 15 April 2026 · Last updated: 15 April 2026
This DPA forms part of the agreement between you (“Merchant”, “Data Controller”) and Voxel Digital trading as Briezo (“Processor”) for the processing of personal data through the Briezo platform. By connecting your store, you accept this DPA.
1. Definitions
“Personal Data” means any information relating to an identified or identifiable individual, as defined under applicable Data Protection Laws (GDPR, Australian Privacy Act 1988, CCPA/CPRA, POPIA, or equivalent).
“Processing” means any operation performed on Personal Data, including collection, storage, hashing, transmission, analysis, and deletion.
“Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
“Data Protection Laws” means GDPR (EU), Australian Privacy Act 1988, CCPA/CPRA (California), POPIA (South Africa), PIPEDA (Canada), and any other applicable data protection legislation.
2. Scope of Processing
Briezo processes the following categories of Personal Data on behalf of the Merchant:
| Data Category | Examples | Purpose | Retention |
|---|---|---|---|
| Customer identifiers | Email, phone, name, address | Server-side event matching (CAPI), RFM segmentation | Hashed at ingestion; plain email retained only for Klaviyo sync if enabled by Merchant |
| Order data | Order ID, total, products, timestamps | Revenue attribution, LTV prediction, incrementality measurement | Duration of Merchant account + 30 days |
| Behavioural events | Page views, add-to-cart, checkouts | Conversion tracking, funnel analysis | Rolling 12 months |
| Ad platform tokens | Meta, TikTok, Google, Klaviyo API tokens | Server-side event delivery, spend sync, audience sync | Encrypted at rest (AES-256-GCM); deleted on disconnection |
3. Processor Obligations
Briezo shall:
- Process Personal Data only on documented instructions from the Merchant (i.e., the features the Merchant enables in Settings).
- Ensure all personnel with access to Personal Data are bound by confidentiality obligations.
- Implement and maintain appropriate technical and organisational measures to protect Personal Data, including:
  - AES-256-GCM encryption of all stored API tokens and credentials
  - SHA-256 hashing of customer PII (email, phone, address) before storage
  - Consent-gated processing (strict mode by default; PII stripped when consent not granted)
  - HTTPS/TLS encryption for all data in transit
  - Infrastructure-level disk encryption via hosting provider
  - Helmet.js security headers including CSP and HSTS
  - Rate limiting on authentication and API endpoints
- Not engage Sub-processors without prior notification to the Merchant (see Section 5).
- Assist the Merchant in responding to data subject access requests (DSARs) and exercising data subject rights.
- Delete or return all Personal Data upon termination of the agreement, at the Merchant's choice.
- Notify the Merchant without undue delay (and within 72 hours) upon becoming aware of a Personal Data breach.
4. Merchant (Controller) Obligations
The Merchant shall:
- Ensure a lawful basis exists for the processing of customer Personal Data (e.g., legitimate interest for server-side conversion tracking, consent where required).
- Maintain an appropriate privacy policy on their storefront that discloses the use of third-party analytics and server-side event processing.
- Configure consent mode settings in Briezo to match their jurisdiction's requirements.
- Not submit special category data (health, biometric, political, religious data) to Briezo unless explicitly agreed in writing.
5. Sub-processors
Briezo uses the following Sub-processors to deliver its services:
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Railway | Application hosting | US (Oregon) | All application data (encrypted at rest) |
| Meta Platforms | Conversions API event delivery | US / EU | Hashed customer identifiers, order values |
| TikTok | Events API delivery | US / Singapore | Hashed customer identifiers, order values |
| | Enhanced Conversions delivery | US / EU | Hashed customer identifiers, order values |
| Klaviyo | Event enrichment and audience sync | US | Email (plain), segment, LTV, order data |
| Anthropic | AI-powered analytics and insights | US | Aggregated store metrics (no PII) |
| Shopify | Store data source (webhooks, API) | US / Canada | Orders, customers, products |
Briezo will notify the Merchant at least 14 days in advance of adding or replacing a Sub-processor. The Merchant may object within that period. If the objection cannot be resolved, the Merchant may terminate the agreement.
6. International Data Transfers
Where Personal Data is transferred outside the Merchant's jurisdiction, Briezo ensures appropriate safeguards are in place:
- EU/EEA to US: EU-US Data Privacy Framework (where applicable) or Standard Contractual Clauses (SCCs).
- Australia: Compliant with Australian Privacy Principle 8 — reasonable steps to ensure overseas recipients handle data consistently with the APPs.
- Other jurisdictions: Appropriate safeguards as required by the applicable Data Protection Laws.
7. Security Measures
Briezo implements the following security measures:
- Encryption at rest: API tokens encrypted with AES-256-GCM; database disk encryption via infrastructure provider.
- Encryption in transit: All connections over HTTPS/TLS 1.2+.
- PII minimisation: Customer identifiers hashed with SHA-256 at ingestion. Plain email retained only where operationally required (Klaviyo sync).
- Access controls: Per-store authentication with ownership validation on every API call. Admin endpoints separately gated.
- Webhook verification: Shopify webhooks verified via HMAC-SHA256 with timing-safe comparison.
- Dependency management: Automated vulnerability scanning; 0 known vulnerabilities as of April 2026.
- Killswitch: Global, per-store, and per-platform emergency stop for all event processing.
- DLQ redaction: Failed event payloads have tokens and PII redacted before dead-letter storage.
8. Data Breach Notification
In the event of a Personal Data breach, Briezo will:
- Notify the Merchant via email within 72 hours of becoming aware of the breach.
- Provide details of the nature of the breach, categories of data affected, approximate number of data subjects, and measures taken to mitigate.
- Cooperate with the Merchant and any supervisory authority in investigating and remediating the breach.
9. Data Deletion and Return
Upon termination of the Merchant's account:
- Briezo will delete all Personal Data within 30 days, unless retention is required by law.
- The Merchant may request a data export (via Settings → Account → Export Data) before account closure.
- Shopify GDPR webhooks (customers/data_request, customers/redact, shop/redact) are processed automatically.
10. Audit Rights
The Merchant (or their appointed auditor) may request information about Briezo's data processing practices to verify compliance with this DPA. Briezo will make available all information reasonably necessary to demonstrate compliance and allow for audits, subject to reasonable notice and confidentiality obligations.
11. Duration and Termination
This DPA is effective for the duration of the Merchant's use of Briezo. It terminates automatically when the Merchant deletes their account. Sections 7 (Security), 8 (Breach Notification), 9 (Deletion), and 10 (Audit) survive termination.
12. Contact
For questions about this DPA or to exercise any rights:
Voxel Digital (trading as Briezo)
ABN 92 611 517 994
Email: hello@briezo.com
Privacy page: /privacy